1. Introduction
Attesso ("Attesso," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, retain, and protect your personal information when you use our website, APIs, SDKs, dashboard, mobile applications, and related services (collectively, the "Services").
This Privacy Policy applies to all users of the Services, including Developers who integrate our APIs, End Users who authorize financial transactions, and visitors to our website. By using the Services, you consent to the practices described in this Privacy Policy.
If you are located in the European Economic Area (EEA), United Kingdom (UK), or California, please refer to the jurisdiction-specific sections below for additional information about your rights.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, company name, and other information provided during registration through our authentication provider (Clerk).
- Identity Verification Data: Government-issued identification, tax identification numbers, business formation documents, proof of address, and beneficial ownership information submitted during Stripe Connect onboarding for live mode activation.
- Payment Information: Bank account details, payment card numbers, and billing addresses. This information is collected and processed directly by our Payment Processor (Stripe) and is not stored on Attesso's servers. See Section 8 for details.
- Mandate Data: Transaction amounts, spending limits, merchant category restrictions, fee modes, and authorization parameters you configure when creating Mandates.
- Agent Configuration: Agent names, descriptions, and API key metadata.
- Communications: Any information you provide when contacting support, submitting feedback, or communicating with us through any channel.
2.2 Information Collected Automatically
- Device and Browser Information: IP address, browser type and version, operating system, device identifiers, screen resolution, and language preferences.
- Usage Data: Pages visited, features used, API endpoints called, timestamps, click patterns, and referring URLs.
- Transaction Data: Mandate creation events, authorization requests, capture amounts, settlement records, and associated metadata.
- API Logs: Request and response metadata (excluding sensitive payloads), API key identifiers, rate limit status, and error codes.
- Authentication Events: WebAuthn/FIDO2 ceremony metadata, including authenticator attestation type, credential ID, origin, and challenge-response timestamps. We do not receive or store your private keys or biometric data (see Section 9).
2.3 Information from Third Parties
- Payment Processor: Stripe may share transaction status, dispute notifications, payout information, and onboarding verification results with us.
- Authentication Provider: Clerk may share authentication events, session data, and account status with us.
- Risk and Fraud Prevention: We may receive information from fraud prevention services, sanctions screening databases, and card network risk signals.
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Service Delivery
- Process and authorize Mandates and financial transactions.
- Issue and manage virtual card credentials.
- Authenticate users and verify identities.
- Manage your account, API keys, and agent configurations.
- Process payouts and reconcile settlements.
3.2 Security and Risk Management
- Detect, prevent, and investigate fraud, unauthorized transactions, and other illegal activities.
- Operate our risk assurance engine, including anomaly detection and credential revocation.
- Monitor for suspicious patterns and enforce spending constraints.
- Comply with sanctions screening and anti-money laundering obligations.
- Maintain and enforce our block store for network-wide credential invalidation.
3.3 Legal and Regulatory Compliance
- Comply with applicable laws, regulations, and legal processes, including the Bank Secrecy Act, OFAC sanctions requirements, and card network rules.
- Respond to subpoenas, court orders, and lawful requests from law enforcement or regulatory authorities.
- Maintain records as required by financial regulations.
3.4 Communication
- Send transactional notifications (Mandate authorizations, transaction alerts, security events).
- Provide customer support and respond to inquiries.
- Send service updates, security alerts, and administrative messages.
- Send promotional communications (with your consent, where required by law).
3.5 Service Improvement
- Analyze usage patterns to improve the Services, APIs, and documentation.
- Develop new features and capabilities.
- Conduct internal research and analytics.
- Debug and fix technical issues.
4. Legal Bases for Processing (EEA/UK)
If you are located in the European Economic Area or the United Kingdom, we process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide the Services you have requested, including transaction processing, account management, and mandate execution.
- Legal Obligation: Processing required to comply with applicable laws, including anti-money laundering regulations, sanctions screening, tax reporting, and financial recordkeeping requirements.
- Legitimate Interests: Processing necessary for our legitimate interests, including fraud prevention, service security, product improvement, and internal analytics, where those interests are not overridden by your rights.
- Consent: Where required by applicable law, we process certain information based on your explicit consent, which you may withdraw at any time.
5. How We Share Your Information
We do not sell your personal information to third parties. We may share your information in the following circumstances:
- Payment Processor (Stripe): We share transaction data, identity verification information, and account details with Stripe to process payments, issue virtual cards, manage payouts, and comply with financial regulations. Stripe's use of this data is governed by the Stripe Privacy Policy.
- Authentication Provider (Clerk): Account and session information is processed by Clerk for user authentication. See the Clerk Privacy Policy.
- Card Networks: Transaction data is shared with Visa and its member banks as required for payment processing and dispute resolution.
- Infrastructure Providers: We use cloud infrastructure providers (including but not limited to hosting, database, and caching services) who process data on our behalf under data processing agreements with appropriate safeguards.
- Developers: When an End User authorizes a Mandate through a Developer's application, the Developer receives Mandate status, transaction data, and limited account information necessary for their application to function. Developers are bound by our Terms of Service regarding data handling.
- Legal Requirements: We may disclose information when required by law, subpoena, court order, or other legal process, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
- Law Enforcement and Regulators: We may share information with law enforcement agencies, financial regulators, or other governmental authorities when required by law or when we have a good-faith belief that doing so is necessary to comply with legal obligations or prevent fraud or financial crime.
- Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of the transaction. We will notify you of any such change and any choices you may have regarding your information.
6. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes for which it was collected and to comply with our legal obligations. Specific retention periods include:
- Account Data: Retained for the duration of your account and for a reasonable period after account closure to handle any post-closure inquiries or disputes.
- Transaction Records: Retained for a minimum of seven (7) years after the transaction date, as required by financial recordkeeping regulations, anti-money laundering laws, and card network rules.
- Identity Verification Data: Retained for a minimum of five (5) years after the business relationship ends, as required by Customer Identification Program (CIP) and Know Your Customer (KYC) regulations.
- API Logs: Retained for up to 90 days for operational purposes and debugging, unless longer retention is required for security investigations.
- Risk and Fraud Data: Retained for as long as necessary to protect against fraud and enforce our block store, which may extend beyond account closure.
When personal information is no longer needed, we will securely delete or anonymize it. Anonymized data that cannot reasonably be used to identify you may be retained indefinitely for analytics and service improvement purposes.
7. Data Security
We implement technical and organizational security measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption: All data is encrypted in transit using TLS 1.2 or higher. Sensitive data is encrypted at rest using AES-256 or equivalent encryption standards.
- Access Controls: Access to personal information is restricted to authorized personnel on a need-to-know basis, with role-based access controls and multi-factor authentication.
- Infrastructure Security: Our infrastructure is hosted in SOC 2-compliant data centers with physical security controls, network segmentation, and intrusion detection systems.
- Payment Card Security: We do not store, process, or transmit payment card numbers directly. All card data is handled by our PCI DSS Level 1-compliant Payment Processor (Stripe).
- API Security: API authentication uses cryptographically generated keys with scoped permissions. Rate limiting, request signing, and audit logging are enforced on all API endpoints.
- Monitoring: We maintain continuous security monitoring, logging, and alerting to detect and respond to security incidents.
While we implement commercially reasonable security measures, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security of your information.
8. Payment Processor Data Handling
Attesso uses Stripe as its Payment Processor for all payment-related operations. When you provide payment information (such as card numbers or bank account details), this information is collected and processed directly by Stripe and is not stored on Attesso's servers. Key points:
- Stripe is a PCI DSS Level 1 service provider, the highest level of certification in the payment card industry.
- Payment credentials entered on our platform are transmitted directly to Stripe using their client-side libraries (Stripe.js / Stripe Elements).
- Attesso receives only tokenized references, card type, last four digits, and expiration dates from Stripe. We never have access to full card numbers or CVVs.
- Virtual cards issued through the Services are created and managed by Stripe Issuing. Card numbers, PINs, and security codes are stored and managed by Stripe.
- For more information about how Stripe handles your data, please review the Stripe Privacy Policy.
9. Biometric and Authentication Data
Attesso uses FIDO2/WebAuthn for user authentication. This differs in an important way from systems that collect biometric data:
- No Biometric Data Transmitted: When you authenticate using a passkey (fingerprint, face recognition, etc.), the biometric matching occurs entirely on your device in a Secure Enclave, TPM, or TEE. No biometric data (fingerprints, facial geometry, etc.) is ever transmitted to or stored by Attesso.
- What We Receive: We receive only a cryptographic assertion (a digital signature) that proves you successfully authenticated on your device. This assertion contains no biometric information.
- What We Store: We store your public key credential (credential ID, public key, sign count, and attestation metadata). These are not biometric data and cannot be used to reconstruct or infer your biometric characteristics.
- Hardware-Bound Keys: Private keys are generated and stored in your device's Secure Enclave or equivalent hardware security module. They are non-exportable, origin-bound, and cannot be extracted by Attesso or any third party.
To the extent that any applicable state biometric privacy law (such as the Illinois Biometric Information Privacy Act) applies, please note that Attesso does not collect, capture, or otherwise obtain biometric identifiers or biometric information as defined by such laws.
10. Cookies and Tracking Technologies
We use cookies and similar technologies on our website and dashboard:
- Strictly Necessary Cookies: Required for authentication, session management, and security. These cannot be disabled.
- Functional Cookies: Used to remember your preferences and settings (e.g., dashboard layout, theme).
- Analytics Cookies: Used to understand how visitors use our website and to improve the Services. We use privacy-respecting analytics that do not track individuals across sites.
We do not use third-party advertising cookies or participate in cross-site tracking or behavioral advertising networks. You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies may prevent the Services from functioning correctly.
11. International Data Transfers
Attesso is based in the United States and primarily processes data within the United States. If you access the Services from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
For transfers of personal data from the EEA or UK to countries that have not received an adequacy decision from the European Commission or UK Secretary of State, we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional security measures where necessary. You may request a copy of the applicable transfer mechanism by contacting us at privacy@attesso.com.
12. Your Rights
Depending on your location and applicable law, you may have the following rights regarding your personal information:
12.1 General Rights
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete personal information.
- Deletion: Request deletion of your personal information, subject to legal retention requirements (such as financial recordkeeping obligations).
- Data Portability: Request your data in a structured, commonly used, and machine-readable format.
- Opt-Out of Marketing: Unsubscribe from promotional communications at any time via the link in any marketing email.
- Mandate Revocation: Revoke any active Mandate at any time through the Services or by contacting us.
12.2 EEA/UK Additional Rights (GDPR)
- Restriction of Processing: Request that we restrict processing of your personal data in certain circumstances.
- Objection: Object to the processing of your personal data based on legitimate interests.
- Withdraw Consent: Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of prior processing.
- Complaint: Lodge a complaint with your local data protection authority.
12.3 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share information.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising as defined by the CCPA/CPRA.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
- Right to Limit Use of Sensitive Personal Information: You may limit the use of sensitive personal information to purposes necessary for the Services.
Categories of Personal Information Collected (CCPA Disclosure): In the preceding 12 months, we have collected the following categories of personal information: identifiers (name, email, IP address); financial information (payment and bank account details via Stripe); commercial information (transaction history, mandate records); internet or electronic network activity (usage data, API logs); geolocation data (derived from IP address); and professional information (company name, role).
To exercise any of these rights, contact us at privacy@attesso.com. We will respond to verifiable requests within the timeframes required by applicable law (generally 30 days for GDPR, 45 days for CCPA). We may need to verify your identity before processing your request. Please note that certain data may be exempt from deletion requests due to financial recordkeeping requirements.
13. Children's Privacy
The Services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information promptly. If you believe we have collected information from a child under 18, please contact us at privacy@attesso.com.
14. Do Not Track
Some browsers transmit a "Do Not Track" (DNT) signal. Because there is no accepted standard for how to respond to it, we do not currently respond to DNT signals. However, as stated in Section 10, we do not engage in cross-site tracking or behavioral advertising.
15. Third-Party Links
The Services may contain links to third-party websites, services, or applications. This Privacy Policy does not apply to any third-party services. We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you access.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. If we make material changes, we will provide at least 30 days' advance notice via email to the address associated with your account or through a prominent notice within the Services. The "Last updated" date at the top of this policy indicates when the most recent revisions were made. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: